From 9676f0ada2b1f52e5d65e31e4186b87198a147f6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?=
Date: Sat, 9 Dec 2023 04:08:41 +0100
Subject: [PATCH] feat(miniflux): set up SSO
---
 secrets/authelia/oidc-miniflux.age | 13 +++++++++++++
 secrets/secrets.nix | 1 +
 services/authelia.nix | 13 +++++++++++++
 services/miniflux.nix | 18 +++++++++++++++---
 4 files changed, 42 insertions(+), 3 deletions(-)
 create mode 100644 secrets/authelia/oidc-miniflux.age
diff --git a/secrets/authelia/oidc-miniflux.age b/secrets/authelia/oidc-miniflux.age
new file mode 100644
index 0000000..ec7fbdd
--- /dev/null
+++ b/secrets/authelia/oidc-miniflux.age
@@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9BWlFoQSAzbm1k
+SmpxNnlXaThldnhzMVhUdjIxN3dIakRsa0RSNXY1SDZtL2FBTlhNCk1JNG1QTG9m
+a1F6QlgrZXo2U09GYzFUckNIREN3VXlmN2NFZ1hxSVhOZ1kKLT4gc3NoLWVkMjU1
+MTkgNzJpajd3IDVZaGg5Mk05aUQvaWZsdzFhR1ZVNUVnSUpRSVpVNGFuYy9jMWph
+eXJ2QnMKSUNaK3lla2tRUFQvS2tqd0ZneGZjQUVyV2l2U1V5clVudjBtVHJrMHJy
+VQotPiBwe2VyW2cpLWdyZWFzZSBVKHYoZ019ciBSIElSWUhuJ1AKMlJ3VWxIcUpH
+SEtaUWNLUlFwS08zV3hvNndHSkc1QUsvb1Y4V3lZT0xhaUM2S3p5RHdMWkt6TzVr
+U2gvRDYxVwpmZwotLS0gM1drWlhhSHV0aGtSYy9kSTJvMlNrc1JBdnYxVjhwQ3JP
+SVhnQWladGc2WQpodvux+sDp5r7EFBwFixva1mfBlEG20nyr/D/ZJXb9NxKazBHI
+7IQMBR2LHZoTgIQiNCYCi3rr9HxGUqYCRTvTYd2njhUYNh5qEgHca4Tmbp3OThwr
+9gMkYqZrNsxMZpO91R/e6Om9NGc=
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 0fc46bc..c45715e 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -37,6 +37,7 @@ in {
 "authelia/session.age".publicKeys = [ felschr home-server ];
 "authelia/storage.age".publicKeys = [ felschr home-server ];
 "authelia/oidc.age".publicKeys = [ felschr home-server ];
+ "authelia/oidc-miniflux.age".publicKeys = [ felschr home-server ];
 "hass/secrets.age".publicKeys = [ felschr home-server ];
 "esphome/password.age".publicKeys = [ felschr home-server ];
 "focalboard/.env.age".publicKeys = [ felschr home-server ];
diff --git a/services/authelia.nix b/services/authelia.nix
index ba041d5..a1cb6e1 100644
--- a/services/authelia.nix
+++ b/services/authelia.nix
@@ -25,6 +25,11 @@ in {
 owner = cfg.user;
 };
 
+ age.secrets.authelia-oidc-miniflux = {
+ file = ../secrets/authelia/oidc-miniflux.age;
+ owner = cfg.user;
+ };
+
 services.authelia.instances.main = {
 enable = true;
 secrets = {
@@ -103,6 +108,14 @@ in {
 # host = "smtp.web.de";
 # port = 587;
 # };
+ identity_providers.oidc.clients = [{
+ id = "miniflux";
+ secret =
+ "$pbkdf2-sha512$310000$1iBgcyIDTDzELv49KWtcHQ$WaRknbgeOHPWIc1BdQsUJaftwISJlY5S1Nyw6Z5omPvnZINhPyn7WVMgogVv1Dekmici7Oz7opb8S7uQAc8hzw";
+ redirect_uris = [ "https://news.felschr.com/oauth2/oidc/callback" ];
+ authorization_policy = "one_factor";
+ scopes = [ "openid" "email" "profile" ];
+ }];
 };
 };
 
diff --git a/services/miniflux.nix b/services/miniflux.nix
index f278712..a2d6d21 100644
--- a/services/miniflux.nix
+++ b/services/miniflux.nix
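Review bot: `authorization_policy = "one_factor"` in the new `identity_providers.oidc.clients` entry lets any account that completes first-factor login at Authelia use the miniflux client, and nothing in this hunk narrows that to particular users or groups; services/miniflux.nix in the same commit sets `OAUTH2_USER_CREATION = "1"`, so as far as these hunks show every such account is also auto-provisioned in Miniflux. If that is the intent, a one-line comment above the client entry would save the next reader the cross-check, e.g. `# any Authelia user may sign in; Miniflux auto-creates accounts on first login`; if not, `two_factor` or a user/group restriction on the Authelia side is the place to tighten it. The `secret` value is a PBKDF2 digest rather than the plaintext, which is the right thing to commit; the plaintext presumably lives in the new oidc-miniflux.age secret. The enclosing attribute set starts and ends outside the hunk.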
@@ -1,13 +1,25 @@
-{ config, pkgs, ... }:
+{ config, ... }:
 
-let port = 8002;
+let
+ domain = "news.felschr.com";
+ port = 8002;
 in {
 age.secrets.miniflux.file = ../secrets/miniflux.age;
 
 services.miniflux = {
 enable = true;
 adminCredentialsFile = config.age.secrets.miniflux.path;
- config = { LISTEN_ADDR = "localhost:${toString port}"; };
+ config = {
+ LISTEN_ADDR = "localhost:${toString port}";
+ BASE_URL = "https://${domain}";
+ OAUTH2_PROVIDER = "oidc";
+ OAUTH2_CLIENT_ID = "miniflux";
+ OAUTH2_CLIENT_SECRET_FILE =
+ config.age.secrets.authelia-oidc-miniflux.path;
+ OAUTH2_REDIRECT_URL = "https://news.felschr.com/oauth2/oidc/callback";
+ OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.felschr.com";
+ OAUTH2_USER_CREATION = "1";
+ };
 };
 
 services.nginx = {
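Review bot: `OAUTH2_REDIRECT_URL` hard-codes `https://news.felschr.com/oauth2/oidc/callback` even though the hunk introduces `domain` for exactly this host and already uses it in `BASE_URL`; `OAUTH2_REDIRECT_URL = "https://${domain}/oauth2/oidc/callback";` keeps the two from drifting. The same literal is repeated in the Authelia client's `redirect_uris` in services/authelia.nix, and the OIDC flow only succeeds when the two match exactly, so a later edit to one of them would break login with little to point at the cause; a comment on either side naming the other, e.g. `# must match redirect_uris of the "miniflux" client in services/authelia.nix`, makes the coupling visible. The file's top-level attribute set continues past the hunk.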